[unisog] Windows 2000 break-ins

John Stauffacher stauffacher at chapman.edu
Fri Sep 6 00:09:52 GMT 2002


Sounds more like a strain of Nimda than anything else...

++
John Stauffacher
Network Administrator
Chapman University
stauffacher at chapman.edu
714-628-7249

-----Original Message-----
From: Mark L. VanScoyk [mailto:MarkieV at uwyo.edu] 
Sent: Thursday, September 05, 2002 4:27 PM
To: unisog at sans.org
Subject: RE: [unisog] Windows 2000 break-ins

We have had a rash of attacks starting in early August.  We have had
some machines that were hacked that we know had strong Administrator
passwords.  The theory we have been working from is that someone with
administrative access to one of those boxes logged into a machine that
had a blank administrative password and the attack piggybacked on their
credentials.  However, this is a shot in the dark as we have not been
able to find any files that are actually a worm. 

In our findings it leaves the following behind:
A blank administrator password
Enables the guest account
Adds guest to administrators
Removes the user right to access the computer from the network
Installs an IRC server (actually from our logs this may have happened at
a later date due to the blank administrator password left behind by the
original attack).

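The list of leftovers above is easy to turn into a log triage: each item corresponds to an auditable account or policy change, and a script that does all of them inside a few seconds looks quite different from an administrator working by hand. The following is an added example (not code from any poster on this thread) that scans a constructed, simplified export of a Windows 2000 Security log for those four indicators. The event IDs it keys on are my assumptions for Windows 2000 (628 password set, 626 account enabled, 636 member added to a local group, 609 user right removed) and the five-column export format is constructed; verify both against your own audit log before relying on it.

```python
import csv
import io
from datetime import datetime

# Constructed sample of an exported Windows 2000 Security log
# (date,time,event_id,target,detail). Not real log data.
SAMPLE_LOG = """\
2002-08-03,02:14:07,628,Administrator,Password set by SYSTEM
2002-08-03,02:14:09,626,Guest,User account enabled
2002-08-03,02:14:11,636,Administrators,Member added: Guest
2002-08-03,02:14:15,609,Everyone,User right removed: SeNetworkLogonRight
2002-08-03,02:20:40,528,jdoe,Successful logon type 2
2002-08-03,02:25:01,636,Power Users,Member added: jdoe
"""

# Event IDs assumed for Windows 2000 (check them against your own log):
# 628 password set, 626 account enabled, 636 member added to local group,
# 609 user right removed. SeNetworkLogonRight is the privilege behind
# "Access this computer from the network".
RULES = [
    (628, "Administrator password reset",
     lambda r: r["target"].lower() == "administrator"),
    (626, "Guest account enabled",
     lambda r: r["target"].lower() == "guest"),
    (636, "Guest added to Administrators",
     lambda r: r["target"].lower() == "administrators"
               and "guest" in r["detail"].lower()),
    (609, "network logon right removed",
     lambda r: "senetworklogonright" in r["detail"].lower()),
]

FIELDS = ["date", "time", "event_id", "target", "detail"]


def parse_log(text):
    """Parse the constructed export into dicts with a datetime and int id."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        rec["event_id"] = int(rec["event_id"])
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                        "%Y-%m-%d %H:%M:%S")
        rows.append(rec)
    return rows


def triage(text, window_seconds=300):
    """Return (findings, automated).

    findings is a list of (timestamp, label) for every indicator matched;
    automated is True when all four indicators fired within window_seconds
    of each other, which points to a script rather than hand-typed commands.
    """
    findings = []
    for rec in parse_log(text):
        for event_id, label, match in RULES:
            if rec["event_id"] == event_id and match(rec):
                findings.append((rec["when"], label))
    matched = {label for _, label in findings}
    automated = False
    if len(matched) == len(RULES):
        times = [t for t, _ in findings]
        automated = (max(times) - min(times)).total_seconds() <= window_seconds
    return findings, automated


if __name__ == "__main__":
    found, scripted = triage(SAMPLE_LOG)
    for when, label in found:
        print(when, label)
    print("all indicators within one window:", scripted)
```

The time-window check is the useful part: a single Guest-enabled event has many innocent explanations, but all four changes landing within a few seconds of a password reset on Administrator is the signature of a tool, and the timestamp of that cluster tells you which logon session to look at next.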

-----Original Message-----
From: Jeff Bollinger [mailto:jeff01 at email.unc.edu] 
Sent: Thursday, September 05, 2002 4:06 PM
To: Gary Flynn
Cc: unisog at sans.org
Subject: Re: [unisog] Windows 2000 break-ins

I think that Microsoft document is a stab in the dark.  We've been 
seeing similar attacks all summer long, and they are continuing.  The 
name of the files on compromised systems varies enormously to the point 
that you really can't predict, or even look for similar patterns.  Most 
all of these are related to having blank administrator passwords.  The 
KB article offers nothing new really.  What you should really be 
watching for are connections to IRC servers (particularly XDCC traffic),
and monitoring the bandwidth those connections are consuming.

Jeff

Gary Flynn wrote:
> A few months ago, there was a spate of break-ins that
> involved IRC floods and backdoor trojans. I believe that
> weak or nonexistent Administrator passwords were
> thought to be partially at fault.
> 
> I just ran across a Microsoft security bulletin warning
> of a new spate of what looks to me to be similar incidents.
> Anyone seeing anything?
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
> 

-- 
Jeff Bollinger
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjzETQsACgkQvoVlxVBmgsXunQCg1Pjc14nTjWiP8FCy+NNDK97E
HMAAoIRhikBeM5Lm+6Iu/0h3MX6lDgiR
=LpiV
-----END PGP SIGNATURE-----
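Jeff's advice to watch IRC connections and the bandwidth they consume can be put into a small flow-record check. The following is an added example, not code from Jeff or anyone else on the thread: it takes constructed flow records (source, destination, destination port, outbound bytes, duration), marks any internal host that talks to the standard IRC ports, and reports those that also push a large volume of data outbound, which is what an XDCC file server on a compromised box looks like from the network. The port list is an assumption (6665 to 6669 are the registered IRC ports; 7000 is included because it is commonly used, not because it is registered), and the 500 MB threshold is an arbitrary starting point to tune for your own link.

```python
from collections import defaultdict

# 6665-6669 are the registered IRC ports; 7000 is an assumption based on
# common usage. Tune for the servers you actually see.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out, seconds).
# Documentation-range addresses; not real traffic.
SAMPLE_FLOWS = [
    ("10.1.2.3", "192.0.2.10", 6667, 4_200, 3600),          # idle IRC session
    ("10.1.2.3", "198.51.100.7", 1189, 850_000_000, 900),   # large outbound transfer
    ("10.1.2.3", "203.0.113.5", 2345, 720_000_000, 800),    # another one
    ("10.1.2.9", "192.0.2.10", 6667, 3_900, 3600),          # IRC chat only
    ("10.1.2.20", "198.51.100.20", 80, 120_000, 60),        # web browsing
]


def triage_flows(flows, min_outbound_bytes=500_000_000):
    """Return {host: summary} for hosts that both contact an IRC port and
    send at least min_outbound_bytes in total.

    summary holds the IRC peers seen, total outbound bytes across all
    flows from the host, and the highest per-flow average rate in B/s.
    """
    irc_peers = defaultdict(set)
    outbound = defaultdict(int)
    peak_rate = defaultdict(float)
    for src, dst, dport, nbytes, secs in flows:
        outbound[src] += nbytes
        if secs > 0:
            peak_rate[src] = max(peak_rate[src], nbytes / secs)
        if dport in IRC_PORTS:
            irc_peers[src].add(dst)

    suspects = {}
    for host, peers in irc_peers.items():
        if outbound[host] >= min_outbound_bytes:
            suspects[host] = {
                "irc_peers": sorted(peers),
                "outbound_bytes": outbound[host],
                "peak_rate_bps": round(peak_rate[host]),
            }
    return suspects


def irc_only_hosts(flows):
    """Hosts that contacted an IRC port at all, for a lower-priority list."""
    return sorted({src for src, _, dport, _, _ in flows if dport in IRC_PORTS})


if __name__ == "__main__":
    for host, info in triage_flows(SAMPLE_FLOWS).items():
        print(host, info)
    print("all IRC talkers:", irc_only_hosts(SAMPLE_FLOWS))
```

Keeping the IRC-only list separate from the suspects list matters in a university setting: plenty of students sit on IRC all day, so an IRC connection alone is noise, while an IRC connection from a host that is also shovelling hundreds of megabytes outbound is the combination worth a visit to the machine.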


